US11516658B2 - Efficient and secure distributed signing protocol for mobile devices in wireless networks - Google Patents

Abstract

The techniques described herein may provide an efficient and secure two-party distributed signing protocol for the identity-based signature scheme described in the IEEE P1363 standard. For example, in an embodiment, a method may comprise generating a distributed cryptographic key at a key generation center and a first other device and a second other device and generating a distributed cryptographic signature at the first other device using the second other device.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 62/693,585, filed Jul. 3, 2018, the contents of which are hereby incorporated by reference herein in their entirety.

BACKGROUND OF THE INVENTION

The present invention relates to an efficient and secure two-party distributed signing protocol for the identity-based signature scheme described in the IEEE P1363 standard.

Rapid advances in wireless communications, hardware/software and Internet technologies have led to an exponential growth in the number of users accessing the Internet using mobile, wearable or other Internet of Things (IoT) devices. Identity-based signature schemes have been widely applied to enforce user authorization and validate user messages in mobile wireless networks. Unfortunately, the user's private key used to generate signatures is prone to leakage because the key is being stored on the mobile device. Several (t; n) threshold secret sharing schemes have been proposed to address the issue. However, the private keys in most of those schemes have to be recovered on a single device when generating signatures so that the user who holds the device can sign any message without the participation of other users.

The IEEE P1363 project is well-known for issuing standard specifications for public-key cryptography through a series of IEEE standards documents. The IEEE Standard 1363-2000 consists of the following parts: 1) Traditional public-key cryptography (1363-2000 & 1363a-2004); 2) Lattice-based public-key cryptography (P1363.1); 3) Password-based public key cryptography (P1363.2); and 4) Identity-based public key cryptography using pairings (P1363.3). The BLMQ signature scheme is the identity-based signature scheme in the IEEE P1363 standard, and has been widely used in many practical applications. However, the BLMQ signature scheme does not provide an efficient and secure two-party distributed signing protocol.

Accordingly, a need arises for techniques that provide efficient and secure two-party distributed signing protocol for the identity-based signature scheme described in the IEEE P1363 standard.

SUMMARY OF THE INVENTION

The techniques described herein may provide an efficient and secure two-party distributed signing protocol for the identity-based signature scheme described in the IEEE P1363 standard.

For example, in an embodiment, a method may comprise generating a distributed cryptographic key at a key generation center and a first other device and a second other device and generating a distributed cryptographic signature at the first other device using the second other device.

In embodiments, generating the distributed cryptographic key may comprise generating, at the key generation center, a user ID private key based on a user ID, and a Pallier Paillier key pair comprising a public key and a private key, transmitting the user ID private key, the Paillier public key, and the Paillier secret key from the key generation center to the first other device, and transmitting the user ID private key and the Paillier public key from the key generation center to a second other device. Generating a distributed cryptographic signature may comprise transmitting a message from the first other device to a zero knowledge functionality, the message comprising a request for proof that the second other device possesses the user ID private key and in response to receiving the message from the first other device, transmitting a message from the zero knowledge functionality comprising proof that the first other device possesses the user ID private key. Generating a distributed cryptographic signature may further comprise in response to receiving the message from the zero knowledge functionality, transmitting a message from the second other device to the zero knowledge functionality comprising a request for proof of a relation and in response to receiving the message from the second other device, transmitting a message from the zero knowledge functionality comprising proof that the second other device possesses the relation. Generating a distributed cryptographic signature may further comprise in response to receiving the message from the zero knowledge functionality, transmitting a message from the second other device to the first other device comprising a challenge based on the relation and in response to receiving the message from the zero knowledge functionality and the message from the second other device, computing, at the first other device, a signature based on the user ID private key and on the challenge.

In an embodiment, a system may comprise a key generation center adapted to generate a distributed cryptographic key in communication with a first other device, the first other device adapted to generate a distributed cryptographic signature in communication with key generation center and using a second other device, and the second other device adapted to generate the distributed cryptographic signature in communication with the first other device.

A computer program product comprising a non-transitory computer readable storage having program instructions embodied therewith, the program instructions executable by at least one computer system, to cause each computer system to perform a method comprising: generating a distributed cryptographic key at a key generation center and a first other device and a second other device and generating a distributed cryptographic signature at the first other device using the second other device.

BRIEF DESCRIPTION OF THE DRAWINGS

So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only typical embodiments of this invention and the invention may admit to other equally effective embodiments.

FIG. 1 illustrates an example of a typical identity-based signature architecture for the wireless environment.

FIG. 2 illustrates an exemplary flow diagram of the BLMQ signature scheme.

FIG. 3 illustrates an example of the Paillier cryptosystem.

FIG. 4 illustrates an exemplary data flow diagram of distributed key generation in accordance with embodiments of the present systems and methods.

FIG. 5 illustrates an exemplary flow diagram of Phase 1 in accordance with embodiments of the present systems and methods.

FIG. 6 illustrates an exemplary data flow diagram of distributed signature generation in accordance with embodiments of the present systems and methods.

FIG. 7 illustrates an exemplary flow diagram of Phase 2 in accordance with embodiments of the present systems and methods.

FIG. 8 illustrates an example of a system in which embodiments of the present systems and methods may be implemented.

FIG. 9 illustrates an example of results of an experiment to determine performance of the BLMQ signature scheme.

FIG. 10 illustrates an example of results of an experiment to determine performance of the distributed key generation in accordance with embodiments of the present systems and methods.

FIG. 11 illustrates an example of results of an experiment to determine computation costs of the distributed signature generation in accordance with embodiments of the present systems and methods.

FIG. 12 illustrates an example of a computing device in which embodiments of the present systems and methods may be implemented.

Other features of the present embodiments will be apparent from the Detailed Description that follows.

DETAILED DESCRIPTION OF THE EMBODIMENTS

In the following detailed description of the preferred embodiments, reference is made to the accompanying drawings, which form a part hereof, and within which are shown by way of illustration specific embodiments by which the invention may be practiced. It is to be understood that other embodiments may be utilized and structural changes may be made without departing from the scope of the invention. Electrical, mechanical, logical, and structural changes may be made to the embodiments without departing from the spirit and scope of the present teachings. The following detailed description is therefore not to be taken in a limiting sense, and the scope of the present disclosure is defined by the appended claims and their equivalents.

Technologies such as smart mobile devices and Internet of Things (IoT) devices have dramatically changed how we communicate (wired or wirelessly) in today's increasingly interconnected society. The number of smartphone users in the United States is in the hundreds of millions, with the number of smartphone users worldwide in the billions. Ensuring wired network security is generally easier compared to wireless network security. Additional challenges exist with wireless networks because mobile wireless devices tend to be lightweight or have limited communication and storage capabilities (for example, wireless pacemakers, and smart military uniforms). In e-commerce, such as Business to Business (B2B) and Business to Customer (B2C), wireless communications may also be subject to more sophisticated attacks.

Identity-based cryptography is an identity-based signature scheme wherein the user's public key can be obtained from user's ID or email address. Many identity based signature schemes have been proposed. Identity-based signature schemes have been used in many practical applications. FIG. 1 shows a typical identity-based signature architecture 100 for the wireless environment wherein the user's private key 102 must be used when signing. Also shown in FIG. 1, are key generation center (KGC) 104 and the user's identity (ID) 106.

Thus, it is important to be able to authenticate a user and the message. To authenticate an individual, we generally rely on the user “proving” the ownership of the corresponding private signing key by some means. Such private keys are normally stored on the mobile device or smart card, which may be remotely compromised if physically acquired by an attacker.

One common approach is through the use of a (t, n)—threshold secret sharing scheme, which extends the secret sharing. Threshold secret sharing schemes have been used in many applications. In the (t, n)—threshold secret sharing scheme, a private key is shared among n parties. Any information about the private key cannot be obtained from t−1 or fewer shares, and with a subset of t or more shares, the whole private key can be recovered. Thus, threshold cryptography provides a high of level security for the private key because by corrupting less than t−1 parties or devices, the adversary will obtain nothing about the secret.

However, the (t, n)—threshold secret sharing scheme has a limitation. Specifically, any party who holds the recovered private key can sign any document without the participation of other parties. Moreover, the recovered private key is normally stored in a mobile device, which can be compromised. Several two-party protocols have also been designed to mitigate such a reconstruction limitation. Compared with the conventional secret sharing scheme, in a two-party protocol, two parties interact with each other and output a signature without recovering the private key.

The BLMQ signature scheme is the identity-based signature scheme in the IEEE P1363 standard, and has been widely used in many practical applications. In embodiments, the present systems and method may provide an efficient and secure two-party distributed signing protocol for the identity-based signature scheme described in the IEEE P1363 standard.

In embodiments, the present systems and method may provide a two-party distributed signing protocol for an identity-based signature scheme. Embodiments may include protocols that provide improved security, efficiency, and practicality in a wireless environment. Embodiments may include a novel two-party distributed signing protocol, which is a fast threshold cryptography protocol for an identity-based signature scheme. In embodiments, the protocol can generate a valid signature without recovering the private key. Further, a valid signature cannot be generated if one of the participants is not involved. Security analysis of embodiments of the protocol shows that the protocol can satisfy security requirements. Moreover, such security may be proven under the non-standard assumption, and satisfy the zero-knowledge proof analysis.

Preliminaries. Notations. Let D denote a random distribution or set, and xrD denote that x is selected from D randomly. The security parameter is n, and a function μ(n) is negligible, if for any polynomial p, μ(n)=O(1/p(n)). P.P.T denotes a probabilistic-polynomial time algorithm, and KGC denotes a trusted Key Generation Center (KGC). H₁ and H₂ are two secure hash functions, such that H₁: {0,1}*→Z_q, and H₂: {0,1}*→Z_q.

Bilinear pairing let G₁ and G₂ be two cyclic additive groups, G₃ be a multiplicative group, and e:G₁×G₂→G₃ denotes a bilinear map satisfies the following properties:

• • 1. For a₁,a₂∈G₁ and b₁,b₂ ∈G₂, e(a₁+a₂,b₁)=e(a₁,b₁)e(a₂,b₁) and e(a₁,b₁+b₂)=e(a₁,b₁)e(a₁,b₂).
  • 2. For all 0≠a∈G₁, there exists b∈G₂ such that e(a,b)≠1.
  • 3. For all 0≠b∈G₂, there exists a∈G₁ such that e(a,b)≠1.

BLMQ signature scheme. An exemplary flow diagram of the BLMQ signature scheme 200 is shown in FIG. 2. BLMQ signature scheme 200 includes the following four processes. Setup process 202, given a security parameter n, KGC produces the system parameters params. Setup process 202 begins at 204, in which the process chooses G₁,G₂,G₃ and a pairing e:G₁×G₂→G₃. At 206, the process picks a random generator Q₂ of G₂, and calculates Q₁=ϕ(Q₂)∈G₁. At 208, the process generates a random number s∈Z_p as the master secret key, and calculates R=sQ₂ and g=e(Q₁,Q₂). At 210, the process sets the system parameters params=(R,g,Q₁,Q₂,G₁,G₂,G₃,e) as available.

Extract process 212, given a user's identity ID, KGC produces the user's private key. Extract process 212 begins at 214, in which the process computes the identity element h_ID=H₁(ID) in Z_p. At 216, the process outputs K_ID=(h_ID+s)⁻¹Q₁.

In sign process 218, given a message m, the user with the identity ID generates the signature σ. Sign process 218 begins at 220, in which the process computes u=g^r, where r is a random integer. At 222, the process computes h=H₂(m,u) and S=(r+h)K_ID. At 224, the process outputs σ=(h,S).

In verify process 226, given the signature σ=(h,S), the identity ID and the message m, the verifier verifies the validation of the signature. Verify process 226 begins at 228, in which the process computes h_ID=H₁(ID). At 230, the process computes

$u=\frac{e\left(S,h_{\mathrm{ID}}{\mathrm{<figure-callout\; id="2"\; label="Q"\; filenames="US11516658-20221129-D00003.png,US11516658-20221129-D00004.png"\; state="\{\{state\}\}">Q</figure-callout>}}_2+R\right)}{{e\left({\mathrm{<figure-callout\; id="1"\; label="Q"\; filenames="US11516658-20221129-D00002.png,US11516658-20221129-D00005.png"\; state="\{\{state\}\}">Q</figure-callout>}}_1,Q_2\right)}^h}.$
At 232, if h=H₂(m,u), then the process outputs 1, otherwise the process outputs 0.

Zero-Knowledge Proof. The ideal zero knowledge functionality is

_zk, and the standard ideal zero-knowledge functionality is defined by ((x,w), λ)→(λ,(x,R(x,w))), where λ denotes the empty string.

Definition 1: The zero-knowledge functionality

_zk ^R for relation R: Upon receiving (prove,sid,x,w) from P_i (i∈{1,2}): if (x,w) ∉R or sid has been previously used, then ignore the message. Otherwise, send (proof,sid,x) to P_3-i. The non-interactive zero-knowledge proof of knowledge satisfying

_zk can be achieved in random oracle model.

Paillier Encryption. In embodiments, the Paillier cryptosystem may be used for encryption. An example of the Paillier cryptosystem 300 is shown in FIG. 3. Paillier cryptosystem 300 includes the following three processes. Key Generation process 302 begins with 304, in which the process chooses two equivalent length large prime numbers p and q randomly. At 306, the process computes g=n+1, λ=ϕ(n) and μ=(ϕ,(n))⁻¹n, where ϕ)(n)=(p−1)(q−1). At 308, the process outputs the public key, which is pk=(n,g), and the private key, which is sk=(λ,μ)

Encryption process 310 begins with 312, in which the process selects a random number r where r∈Z*_n. At 314, the process computes ciphertext c=Enc_pk(m)=g^m·rⁿ mod n², where 0≤m<n.

Decryption process 316 includes 318, in which the process decrypts the ciphertext as m=Dec_sk(c)=L(c^λn²)·μ mod n, where

$L\left(x\right)=\frac{x-1}{n}.$

In embodiments, Enc_pk(·) denotes the encrypt operation using public key pk, Dec_sk(·) denotes the decrypt operation using private key sk. In the Paillier cryptosystem, there is a notable feature which is its homomorphic properties:

• • 1. Dec_sk(Enc_pk(m₁)·Enc_pk(m₂))=m₁+m₂.
  • 2. Dec_sk(Enc_pk(m₁)^{m 2} )=m₁m₂.
    Let c₁=Enc_pk(m₁), c₂=Enc_pk(m₂), then c₁⊕c₂=Enc_pk(m₁+m₂), m₂⊗c₁=Enc_p,(m₁)^{m 2} .

Two-Party Distributed Signing Protocol. In embodiments, the present systems and methods may provide a two-party distributed signing protocol for the identity-based signature scheme described in IEEE P1363. The two key phases are the distributed key generation phase and the distributed signature generation phase.

Distributed Key Generation. In the distributed key generation phase, the main algorithms are processed by KGC 104, shown in FIG. 1. An exemplary data flow diagram of distributed key generation 400 is shown in FIG. 4. It is best viewed in conjunction with FIG. 5, which is an exemplary flow diagram of Phase 1 500. As shown in FIG. 4, KGC 104 distributes the private key K_ID into two parts.

Phase 1: Distributed Key Generation 500 begins with 502, in which KGC 104 computes the user ID's 402 identity element h_ID=H₁(ID). At 504, 404, KGC 104 selects an integer t₁, and computes t₂=t₁ ⁻¹·(h_ID+s)⁻¹ 406. At 506, 408, KGC 104 sets K_ID ⁽¹⁾=t₁Q₁, and K_ID ⁽²⁾=t₂. At 508, 410, KGC generates a Paillier key-pair (pk,sk) for P₁. At 510, KGC 104 sends (K_ID ⁽¹⁾,pk,sk) 412 to P ₁ 414, and sends (K_ID ⁽²⁾,pk) 416 to P ₂ 418. At 512, P ₁ 414 stores (ID,K_ID ⁽¹⁾,pk,sk) 420 and the public parameter P, and P ₂ 418 stores (ID,K_ID ⁽²⁾,pk) 422 and the public parameter params 424. It is worth noting that we can check the equation K_ID ⁽¹⁾·K_ID ⁽²⁾=(h_ID+s)⁻¹Q₁.

Distributed Signature Generation. In the distributed signature generation phase, P₁ and P₂ select r₁ and r₂ respectively, where r₁r₂=r, and u=g^r ₁g^r ₂. P₁ encrypts r₁ under pk (i.e. C₁=Enc(r₁)), computes R₁=g^{r 1} , and sends R₁,C₁ to P₂. After P₂ receives R₁,C₁, it is trivial for P₂ to compute a ciphertext of S″=(r₁r₂+h)·K_ID ⁽²⁾ under P₁'s public key. In order to prevent revealing any information to P₁, P₂ chooses a random integer

$\rho \stackrel{r}{\leftarrow }{Z}_q,$
and computes the encryption of S″=(r₁r₂+h+ρ·q)·K_ID ⁽²⁾. Then, P₁ can compute S′=S″·t₁, and finally computes the signature S=S′·Q₁.

To verify that the messages that P₁ communicated with P₂ are correct, we use the zero-knowledge proof. An exemplary data flow diagram of distributed signature generation 600 is shown in FIG. 6. It is best viewed in conjunction with FIG. 7, which is an exemplary flow diagram of Phase 2 700.

Phase 2: Distributed Signature Generation 700 begins with 704, in which P₁'s 602 first message is generated by, at 706, P ₁ 602 chooses

${\mathrm{<figure-callout\; id="1"\; label="r"\; filenames="US11516658-20221129-D00002.png,US11516658-20221129-D00005.png"\; state="\{\{state\}\}">r</figure-callout>}}_1\stackrel{r}{\leftarrow }{Z}_q,$
and computes R₁=g ^{r 1} 604. At 708, P ₁ 602 computes C₁=Enc_pk(r₁) 606. At 708, P ₁ 602 generates 608 and sends (prove,1,(R₁,C₁),(r₁,sk)) 610 to

_zk ^{R PDL} .

At 712, P₂'s 612 first message is generated by, at 714, P ₂ 612 receives (proof,1,(R₁,C₁)) 610 from

_zk ^{R PDL} , if not, it aborts. At 716, P ₂ 612 verifies π ₁ 604, chooses

${\mathrm{<figure-callout\; id="2"\; label="r"\; filenames="US11516658-20221129-D00003.png,US11516658-20221129-D00004.png"\; state="\{\{state\}\}">r</figure-callout>}}_2\stackrel{r}{\leftarrow }{Z}_q,$
and computes R₂=g ^r ₂ 612. At 718, P ₂ 612 generates 614 and sends (prove,2,R₂,r₂) 620 to

_zk ^{R DL} . At 720, P ₂ 612 computes u=R₁ ^{r 2} , h=H₂(m,u) 616. At 722, P ₂ 612 chooses

$\rho \stackrel{r}{\leftarrow }{Z}_q$
and computes C₂=K_ID ⁽²⁾⊗(r₂⊗C₁⊗Enc_pk(ρ·q+h)) 618. At 724, P ₂ 612 sends C ₂ 620 to P ₁ 602.

At 726, P ₁ 602 generates the output by, at 728, P ₁ 602 receives (proof,2,R₂) 620 from

_zk ^{R DL} ; if not; it aborts. At 730, P ₁ 602 computes S′=Dec_sk(C₂) mod q, 622 then computes S=S′·K _ID ⁽¹⁾ 624. At 732, P ₁ 602 computes u=R₂ ^{r 1} and h=H₂(m,u). At 734, P ₁ 602 verifies (h,S) 626 by the identity ID, if the signature is valid, it then outputs (h,S) 626, otherwise, it aborts.

Correctness. Due to C₁=Enc_pk(r₁), C₂=K_ID ⁽²⁾⊗(r₂⊗C₁⊗Enc_pk(ρ·q+h)), R₂g^{r 2} , then P₁ can compute

$u={\mathrm{<figure-callout\; id="1"\; label="g\; r"\; filenames="US11516658-20221129-D00002.png,US11516658-20221129-D00005.png"\; state="\{\{state\}\}">g</figure-callout>}}^{r_{}}$ $\begin{array}{c}S={\mathrm{Dec}}_{\mathrm{sk}}\left(C_2\right)q·{\mathrm{<figure-callout\; id="1"\; label="t"\; filenames="US11516658-20221129-D00002.png,US11516658-20221129-D00005.png"\; state="\{\{state\}\}">t</figure-callout>}}_1{\mathrm{<figure-callout\; id="1"\; label="Q"\; filenames="US11516658-20221129-D00002.png,US11516658-20221129-D00005.png"\; state="\{\{state\}\}">Q</figure-callout>}}_1\\ ={\mathrm{Dec}}_{\mathrm{sk}}\left({\left(C_1^{{\mathrm{<figure-callout\; id="2"\; label="r"\; filenames="US11516658-20221129-D00003.png,US11516658-20221129-D00004.png"\; state="\{\{state\}\}">r</figure-callout>}}_2}+{\mathrm{Enc}}_{\mathrm{pk}}\left(\rho ·q+h\right)\right)}^{K_{\mathrm{ID}}^{\left(2\right)}}\right)q·K_{\mathrm{ID}}^{\left(1\right)}\\ ={{\mathrm{Dec}}_{\mathrm{sk}}\left({{\mathrm{Enc}}_{\mathrm{pk}}\left(r_1\right)}^{{\mathrm{<figure-callout\; id="2"\; label="r"\; filenames="US11516658-20221129-D00003.png,US11516658-20221129-D00004.png"\; state="\{\{state\}\}">r</figure-callout>}}_2}+{\mathrm{Enc}}_{\mathrm{pk}}\left(\rho ·q+h\right)\right)}^{K_{\mathrm{ID}}^{\left(2\right)}}\mathrm{mod}q·K_{\mathrm{ID}}^{\left(1\right)}\\ =\left(\left({\mathrm{<figure-callout\; id="1"\; label="r"\; filenames="US11516658-20221129-D00002.png,US11516658-20221129-D00005.png"\; state="\{\{state\}\}">r</figure-callout>}}_1{\mathrm{<figure-callout\; id="2"\; label="r"\; filenames="US11516658-20221129-D00003.png,US11516658-20221129-D00004.png"\; state="\{\{state\}\}">r</figure-callout>}}_2+h+\rho ·q\right)·K_{\mathrm{ID}}^{\left(2\right)}\right)\mathrm{mod}q·K_{\mathrm{ID}}^{\left(1\right)}\\ =\left({\mathrm{<figure-callout\; id="1"\; label="r"\; filenames="US11516658-20221129-D00002.png,US11516658-20221129-D00005.png"\; state="\{\{state\}\}">r</figure-callout>}}_1{\mathrm{<figure-callout\; id="2"\; label="r"\; filenames="US11516658-20221129-D00003.png,US11516658-20221129-D00004.png"\; state="\{\{state\}\}">r</figure-callout>}}_2+h\right)·K_{\mathrm{ID}}^{\left(2\right)}{K}_{\mathrm{ID}}^{\left(1\right)}\end{array}$

Therefore, the correctness of the proposed distributed signing protocol for the identity-based signature scheme in the IEEE P1363 standard is proved.

Security Analysis. Security Model. Definition 2. IND-CPA Security Let

be a PPT adversary, C be a challenger. The IND-CPA security is defined by the following game with a negligible advantage.

• • 1. C generates the key-pair (pk,sk),
    
    obtains pk.
  • 2.
    
    outputs two messages m₀,m₁ (|m₀|=|m₁|).
  • 3. C selects

$\mathrm{br}\stackrel{r}{\leftarrow }\left\{0,1\right\}$

• •  and encrypts m_b such that C*=Enc_pk(m_b), then returns C* to C.
  • 4.
    
    outputs b′,
    
    wins the game when b′=b.

Definition 3. We define an experiment

_,π(1ⁿ), where π is a secure digital signature scheme such that π=(Gen, Sign, Verify).

• • 1. (vk,sk)←Gen(1ⁿ).
  • 2. (m*, σ*)←
    
    ^{sign sk (·)}(1ⁿ,vk).
  • 3. Let
    
    be the set of all m which can be queried.
    
    can query oracle with m. Then, the experiment outputs 1 if m*∉
    
    and Verify(m*,σ*)=1.

Definition 4. A signature scheme π is existentially unforgeable under CMA if for every probabilistic polynomial-time oracle machine

, there exists a negligible function μ such that for every n,
Pr[

_,π(1ⁿ)=1]<μ(n)

In the distributed signature generation phase, we define the experiment Dist

_,Π(1ⁿ)

an adversary A who can control a party P_b (b∈1,2). In protocol Π, the honest party P_3-b instructs a stateful oracle Π_b(.,.).

can choose which message needs to be signed, and can interact with party P_3-b. In this definition, the distributed signature generation phase should run after the distributed key generation phase. The oracle is queried by two inputs: a session identifier and an input, and works as follows:

• • 1. Upon receiving a query (sid,m), and if the distributed key generation phase has not been executed, then the oracle output ⊥.
  • 2. Upon receiving a query (sid,m) after the distributed key generation phase has been executed, the oracle invokes a machine M_sid which is instructed by P_3-b in protocol Π. M_sid is initialized with key share and any stored information from KGC in the distributed key generation phase. If P_3-b sends the first message in the signing phase, then the oracle outputs this message.
  • 3. Upon receiving a query (sid,m) after the distributed key generation phase has executed and sid has been queried, the oracle sends the message m to M_sid, and returns the next message output from M_sid. If M_sid finishes execution, then it returns M_sid's output.

In this experiment,

can control a party P_b with oracle access to Π_b.

wins if it can forge a signature on a message m* which has not been queried in the oracle.

Definition 5. We define an experiment Dist

_,Π(1ⁿ). Let π=(Gen, Sign, Verify) be a two-party signing phase.

• • 1. (m*, σ* )←
    
    ^{(Π b (.,.))}(1ⁿ).
  • 2. Let
    
    be the set of all m which can be queried.
    
    can query oracle with (sid,m). Then, the experiment outputs 1 if m*∉
    
    and Verify(m*, σ*)=1.

Definition 6. A protocol Π is a secure two-party protocol for distributed signature generation for π, if for every P.P.T algorithm

and every b∈{1,2}, there exists a negligible function μ for every n, Pr[Dist

_,Π(1ⁿ)=1]≤μ(n).

Definition 7. The functionality

_BLMQ is combined with two functions: extraction and signing. The extraction function can be queried only once, after the key extraction phase, the signing function can be queried an arbitrary number of times.

_BLMQ works with parties P₁ and P₂, and is defined as follows:

• • 1. After receiving Extract(params,ID) from both P₁ and P₂:
    • (a)Generate a BLMQ key pair (h_ID,K_ID) by computing h_ID=H₁(ID), and choosing a random number

$\mathrm{sr}\stackrel{r}{\leftarrow }{Z}_p.$

• • •  Compute K_ID(h_ID+s)⁻¹Q₁. Choose a hash function H_q:{0,1}*→{0,1}^{└ log \q\┘} and store params,ID,H_q,K_ID
    • (b) Send h_ID and H_q to both P₁ and P₂.
    • (c) Ignore future queries to Extract.
  • 2. After receiving Sign(sid,m) from both P₁ and P₂, if Extract was queried and sid has not been used, then compute a BLMQ signature (h,S) of the message m by follows:
    • (a) Choose a number

$r\stackrel{r}{\leftarrow }{Z}_q,$

• • •  compute u=g^r.
    • (b) Compute h-H_q(m,u), and S(r+h)K_ID.

Finally, send the signature (h,S) to both P₁ and P₂.

Definition 8. The Paillier-EC assumption is hard for every P.P.T adversary A there exists a negligible function μ that Pr[Paillier−

(1ⁿ)=1]≤½+μ(n). Let G be a generator of a group G of order q. The experiment Paillier−

(1ⁿ) is defined as follows:

• • 1. Generate a Paillier key pair (pk,sk).
  • 2. Select r₀,

${\mathrm{<figure-callout\; id="1"\; label="r"\; filenames="US11516658-20221129-D00002.png,US11516658-20221129-D00005.png"\; state="\{\{state\}\}">r</figure-callout>}}_1\stackrel{r}{\leftarrow }{Z}_q$
and compute R=r₀·G.

• • 3. Select b∈{0,1} and compute C=Enc_pk(r_b).
  • 4. Let b′=
    
    ^{O C (.,.,.)} if Dec_sk(C′)=α+β·r_bq, O_C(C′, α, β)=1
  • 5. If and only if b′b, the experiment outputs 1.

Proof of Security. In this section, we prove that the protocol H is a secure two-party protocol for distributed signature generation as shown in the theorem below.

Theorem 1 If Paillier encryption is indistinguishable under CPA (chosen plaintext attack), and BLMQ signature is existentially-unforgeable under a CMA (chosen message attack), then our two-party protocol for distributed signature generation of identity-based signature in IEEE P1363 is secure.

Proof. We now prove the security of our proposed protocol. In addition, if A can break the protocol of zero-knowledge with the probability ε, then it can break the protocol with probability ε+μ(n),μ is a negligible function.

In our proof, for any adversary A that launches an attack on the protocol, we construct an adversary S who forges a BLMQ signature in Definition 3 with the probability that is negligibly close to the probability that A forging a signature in Definition 5.

If Paillier encryption is indistinguishable under CPA, then for every P.P.T algorithm

and every b∈{1,2}, there exists a P.P.T algorithm S and a negligible function μ such that for every n,
|Pr[Sign_S,π(1ⁿ)=1]−Pr[Dist

_,529(1ⁿ)]=11≤μ(n)  (1)

where Π denotes the protocol of Phase 2, and π denotes the BLMQ signature scheme. If we assume that BLMQ signature is secure, there exists a negligible function μ′ for every n that Pr[Sign_S,π(1ⁿ)=1]≤μ′(n). With Equation 1, we conclude that Pr[

_,Π(1ⁿ)=1]≤μ(n)+μ′(n). We now prove Equation 1 for b=1 and b=2 respectively.

When b=1 i.e., P₁ is the corrupted one, let

be a P.P.T adversary in Dist

_,Π(n), we construct a P.P. T adversary S for Sign_S,π(n). S simulates the execution for

as follows:

• • 1. In Sign, S receives (1ⁿ,ID), where ID is the user's identity which could generate the user's public key H₁(ID).
  • 2. S invokes A on input 1ⁿ and simulates oracle
    
    in DistSign. Upon receiving a query (sid,m), where sid is a new session identifier, S queries its signing oracle in Sign with m and receives a signature (h,S) where S=S·Q₁. We slightly modify the oracle that lets the signing oracle return S to the simulator S. We let the adversary
    
    compute t₁·Dec_sk(C₂). u can be computed by the BLMQ signature verification algorithm. Then,
    
    queries S with identifier sid. The query is processed as follows:
    • (a) The first message (sid,m₁) is processed by parsing the message m₁ since m₁=(prove,1,(R₁,C₁),(r₁,sk)). If R₁=g^{r 1} and C₁=Enc_pk(r₁), then S sets R₂=u^{l/r 1} , and sets the oracle's reply message is (proof,2,R₂) and sends it to
      
      . Otherwise, S simulates P₂ abortion.
    • (b) S chooses

$\rho \stackrel{r}{\leftarrow }{Z}_q,$
then computes C₂=Enc_pk(S+ρ·q)(t₁)⁻¹, where S is the value from the signature S received from

_BLMQ, and sets the oracle's reply message is C₂ and sends it to

.

• • 3. Once
    
    halts and outputs (m*,σ*), S outputs (m*,σ*) and halts.

We now prove that the equation 1 holds. In Phase 2, the view of

in the simulation of the distributed signature generation phase is computationally indistinguishable from its view from a real process of Phase 2. The difference between

's view in real execution and in the simulation is C₂. In addition, because u is generated randomly by

_BLMQ, and the distribution between u^{1/r 1} and g^{r 2} is identical, so that R₂'s distribution between real execution and the simulation is identical. The zero-knowledge proof and verification are also identically distributed. So, the only difference is C₂. During the simulation, it is an encryption of (S+ρ·q)(t₁)⁻¹, in real execution, it is a ciphertext of (r+ρ·q+h)·K_ID ⁽²⁾.

We observe that, in the definition of BLMQ signature, S=(r+h)K_ID=(r+h)K_ID ⁽¹⁾K_ID ⁽²⁾ mod q. Thus, (r+h)K_ID ⁽²⁾=(t₁)⁻¹. S mod q means that there exists an integer I∈Z_q that (r+h)K_ID ⁽²⁾=(t₁)⁻¹. S+l·q. In the protocol, the operation without a modular reduction is that (r+h)K_ID ⁽²⁾. Therefore, the difference between the real execution and the simulation with S is:

1. Real: the ciphertext C₂ encrypts (t₁)⁻¹. S mod q+l·q+ρ·q

2. Simulation: the ciphertext C₂ encrypts (t₁)⁻¹. S mod q+ρ·q

It is worth pointing out that the distribution between real execution and simulation is identical. This proves that Equation 1 holds for b=1.

When b=2, i.e. P₂ is the corrupted one. The message C₂ sent by P₂ may be corrupted by

, and the simulator cannot detect whether C₂ is a correct ciphertext. S simulates P₁ abortion at some random point, S chooses

$i\stackrel{r}{\leftarrow }\left\{1,\dots ,p\left(n\right)+1\right\}$
randomly, where p(n) is the upper bound number of queries made by A. S chooses i with the probability of

$\frac{1}{p\left(n\right)+1},$
that is S simulates A's view with a probability of

$\frac{1}{p\left(n\right)+1}.$
The probability of S forging a signature in Sign is at least

$\frac{1}{p\left(n\right)+1}$
times of the probability that A forges a signature in DistSign.

Let

be a P.P.T adversary in Dist

_,Π(n), we construct a P.P.T adversary S for Sign_S,π(n). The adversary S simulates the execution for A as follows:

• • 1. In Sign, s receives (1ⁿ,ID), where ID is the identity to generate the user's public key H₁(ID).
  • 2. S invokes
    
    on input 1ⁿ and simulates oracle
    
    in DistSign. Upon receiving a query (sid,m), where sid is a new session identifier, S sets the oracle reply with (proof,1,R₁,C₁) where R₁=u^{1/r 2} , and sends it to
    
    . Then, S queries its signing oracle in Sign with m and receives a signature (h,S) and S can compute u in the BLMQ signature verification algorithm. Then,
    
    queries S with identifier sid, which is processed as follows:
    • (a) The first message (sid,m₁) is processed by parsing m₁ as (prove,2,R₂,r₂) which should be sent to

${ℱ}_{\mathrm{zk}}^{R_{\mathrm{DL}}}.$

• • •  S verifies the equation R₂=g^{r 2} and if the equation does not hold, it simulates P₁ causing it to abort the protocol.
    • (b) The second message (sid,m₂) is processed by parsing m₂ as C₂. If this is the ith query by
      
      , then S simulates P₁'s abortion. Otherwise, it continues.
  • 3. Once
    
    halts and outputs (m*,σ*), S outputs (m*,σ*) and halts.

Let j be the first query to oracle Π with (sid,m₂), and P₁ does not obtain the valid signature (h,S) which corresponds to the public key Π₁(ID). If j=i, then the difference between the distribution of

's view in real execution and the simulated execution by S is the ciphertext C₁. Since S does not hold the Paillier private key in the simulation, the indistinguishability of the simulation follows from a reduction of indistinguishability of the encryption scheme under Chosen-Plaintext Attack (CPA).

We can learn that

$\mathrm{Pr}\left[{\mathrm{Sign}}_{S,\pi }\left(1^n\right)=1❘i=j\right]-\mathrm{Pr}\left[\mathrm{Dist}{,\Pi }_{}\left(1^n\right)=1\right]+\mu \left(n\right)$ $\mathrm{so}$ $\mathrm{Pr}\left[\mathrm{Dist}{,\Pi }_{}\left(1^n\right)=1\right]+\frac{\mathrm{Pr}\left[{\mathrm{Sign}}_{S,\pi }\left(1^n\right)=1\right]}{1\text{/}\left(p\left(n\right)+1\right)}+\mu \left(n\right)$ $i.e.\mathrm{Pr}\left[{\mathrm{Sign}}_{S,\pi }\left(1^n\right)=1\right]\ge \frac{\mathrm{Dist}{,\Pi }_{}\left(1^n\right)=1}{1\text{/}\left(p\left(n\right)+1\right)}-\mu \left(n\right)$

It means that if

can forge a signature in Dist

_,Π(1ⁿ) with a non-negligible probability, then S can forge a signature in Sign_S,π.(1ⁿ) with a non-negligible probability. Due to BLMQ signature being existentially unforgeable, then our protocol is secure.

Theorem 2 If the Paillier-EC assumption is hard, then, Phase 2 computes

_BLMQ securely in the

_zk, model in the presence of a malicious static adversary.

Proof. We analyze the security for the case of a corrupted P₁ and a corrupted P₂. First, let P₁ be corrupted by an adversary

, we construct a simulator S.

In the signing phase, P₁ cannot do anything. All it does is to generate u and receive a ciphertex C₂ from P₂. Due to ability to simulate the protocol in the signing phase, a simulator can make the result equal to u in a signature received from

_BLMQ. Therefore, the main challenge is to prove that the simulator can generate P₁'s view of the decryption of C₂, given only S,(h,S) from

_BLMQ where S=S·Q₁.

• • 1. On input Sign(sid,m), S sends Sign(sid,m) to
    
    _BLMQ and receives a signature (h,S).
  • 2. S computes u using the BLMQ verification procedure.
  • 3. S invokes
    
    with input Sign(sid,m) and simulates the following messages to ensure that the result is u:
    • (a) S receives (prove,1,(R₁,C₁),(r₁,sk)) from
      
      .
    • (b) If R₁=g^{r 1} , then S sets R₂=u^{1/r 1} , and sends (proof,2,R₂) to
      
      .
    • Otherwise, S simulates P₂ abort, sends abortion to
      
      _BLMQ.
  • 4. S chooses ρrZ_q, then computes C₂=Enc_pk(S+ρ·q)(t₁)⁻¹, where S is the value from the signature S received from
    
    _BLMQ, and sets the oracle reply
    
    with C₂.

The only difference between the view of

in real and simulation is the way that C₂ is chosen. In the simulation, it is a ciphertext of (S+ρ·q)(t₁)⁻¹, in real execution, it is a ciphertext of (r+ρ·q+h)·K_ID ⁽²⁾. It is statistically close between these two scenarios.

Let P₂ be corrupted by

, and we construct a simulator S. In the signature generation phase, S works as follows:

• • 1. On input Sign(sid,m), S sends Sign(sid,m) to
    
    _BLMQ and receives a signature (h,S).
  • 2. S computes u using the BLMQ verification procedure.
  • 3. S invokes
    
    with Sign(sid,m), sets R₁=u^{1/r 2} and sends
    
    the message (proof,1,(R₁,C₁)) internally.
  • 4. S receives (prove,2,R₂,r₂) which indicates that
    
    intends to send to

${ℱ}_{\mathrm{zk}}^{R_{\mathrm{DL}}}.$

• • 5. S verifies the equation R₂=g^{r 2} . If the equation does not hold, then S simulates P₁ aborting.
  • 6. S receives C₂ from P₂, decrypts C₂ by using sk and reduces the result by modulo q. S checks if it is equal to (({tilde over (r)}₁r₂+h)K_ID ⁽²⁾)q, where C₁=Enc_pk({tilde over (r)}₁) If the equation holds, then S sends ‘continue’ to the trusted party P₁, and lets P₁ provide the output. Otherwise, S sends ‘abort’ to P₁ to instruct P₁ to abort.

We modify S to a simulator S who have an oracle O_c(c′,α,β). The oracle O_c(c′,α,β) outputs 1 if Dec_sk(c′,α,β)=α+β·{tilde over (r)}₁ mod q. S′ simulates S as follows:

1. Compute α=h·K_ID ⁽²⁾ mod q.

2. Compute β=r₂·K_ID ⁽²⁾ mod q.

3. Query O_c(c′,α,β) to get b.

4. If b=1, S′ continues to simulate S.

S accepts if S′ accepts because these checks by S and S′ are equivalent. Due to the Paillier-EC assumption, we conclude that the output generated by S in the ideal model is computationally indistinguishable from the real execution. Since the output distributions of S and S are identical in the ideal model; therefore, the output generated by S in the ideal model is computationally indistinguishable from the real execution.

Zero-knowledge Proof. In our protocol, the main zero-knowledge proof for the relation is R_PDL. We use this zero-knowledge proof directly. Thus, we omit the construction here.

Proof that r is a discrete log of R. In this section, we propose the constructions of zero-knowledge proof for the relation R_DL such that
R _DL={(G ₃ ,g,R,R,r)|R=g ^r}

We use Schnorr Zero Knowledge Proof to achieve this requirement. In the signing phase, if a malicious P₂ sends (prove,R₂,r₂) to

_zk ^{R DL} , it also receives a correct message (proof,R₁) from

_zk ^{R DL} . However, P₁'s message in the protocol is assumed to be zero knowledge and hence does not reveal any information about the random integer r₁. The detailed zero-knowledge proof protocol is described as follows:

The joint statement is (G₃,g,R), the prover has a witness r and wishes to prove that R=g^r. When the Schnorr zero-knowledge proof generation algorithm uses as input the public parameter P=(R,g,Q₁,Q₂,G₁,G₂,G₃), signer's identity ID, secret value r, and public value V=g^r. It outputs (z,e) as follows:

1. Select

$k\stackrel{r}{\leftarrow }{Z}_q,$
compute K=g^k.

2. Compute e=H(P,ID,K,V)

3. Compute z=K−re

When the Schnorr zero-knowledge proof verification algorithm uses as input the public parameter P=(R,g,Q₁,Q₂,G₁,G₂,G₃), signer's identity ID, public value V=g^r and Schnorr zero-knowledge proof values(z,e). Its outputs are valid or invalid as follows:

1. Perform public key validation for V.

2. Let K_v=g^zV^e.

3. Let e_v=H(P,ID,K_v,V)

4. If e_v=e, then the signature is verified.

Performance and Experimental Results. In embodiments, the MIRACL Cryptographic SDK may be used to implement embodiments of protocols. For example, embodiments of protocols were implemented and deployed on two Android devices (Google Nexus 6 with a Quad-core, 2.7 GHz processor, 3G bytes memory and the Google Android 7.1.2 operating system; Samsung Galaxy Nexus with a dual-core 1.2 GHz processor, 1G bytes memory and the Google Android 4.0 operating system) and a PC with an i7-6700 processor, 8G bytes memory and the Microsoft Windows 7 operating system. As shown in FIG. 8, in this example, the two Android phones denote two participants 802, 804, and the PC 806 represents the KGC.

Table 1 shows the different security levels of the curves.

TABLE 1
Security level

		Symmetric cipher key	Bitlength of p in prime
	Type	length	field Fp

	MNT k = 6	80	160
	BN k = 12	128	256
	KSS k = 18	192	512
	BLS k = 24	256	640

In order to evaluate the different security levels, the following curves from Type-3 pairings were tested:

1. MNT k=6 curve that achieves AES-80 security.

2. BN k=12 curve that achieves AES-128 security.

3. KSS k=18 curve that achieves AES-192 security.

4. BLS k=24 curve that achieves AES-256 security.

In an embodiment, the BLMQ signature scheme was implemented on a Samsung Galaxy Nexus, and the running time of each algorithm for BLMQ signature scheme is shown in Table 2 and FIG. 9.

TABLE 2
Each algorithm of BLMQ Signature (averages
were computed over 1,000 executions).

	KeyGen	Sign	Verify
CurveAlgorithm	(milliseconds)	(milliseconds)	(milliseconds)

k = 6	5.83	22.16	139.94
k = 12	8.22	66.01	188.61
k = 18	25.99	733.96	2738.34
k = 24	61.76	18676.92	36478.61

Progress in each instance of the distributed key generation phase was analyzed. Table 3 and FIG. 10 show the running times of the instances and the verification algorithm.

TABLE 3
Distributed key generation and verification (averages
were computed over 1,000 executions).

	Setup	Distribute	Verify
CurveProgress	(milliseconds)	(milliseconds)	(milliseconds)

k = 6	145.27	567.42	122.42
k = 12	145.92	1107.8	191.17
k = 18	2055.02	6211.14	2364.34
k = 24	18506.28	8268.26	32116.37

The computation cost of progress in each instance in the distributed signature phase. Table 4 and FIG. 11 show the results obtained. Step 1 denotes the progress made by P₁ before P₁ sends a message to P₂, Step 2 denotes the progress made by P₂, and Step 3 denotes the progress made by P₁ after receiving message from P₂. Table 5 presents the total running times.

TABLE 4
Distributed signature generation (averages
were computed over 1,000 executions).

CurveProgress	Step	1	Step 2	Step 3

k = 6	146.03	ms	222.43	ms	134.49	ms
k = 12	198.28	ms	336.42	ms	174.83	ms
k = 18	1647.47	ms	2782.22	ms	1505.2	ms
k = 24	18419.27	ms	35972.69	ms	17812.87	ms

TABLE 5
Distributed signature generation run
time (average over 1,000 executions).

	CurveDevice		P1	P2

	k = 6	280.52	ms	222.43	ms
	k = 12	373.11	ms	336.42	ms
	k = 18	3152.67	ms	2782.22	ms
	k = 24	36232.14	ms	35972.69	ms

Conclusion. The ubiquity of wireless communications will continue in the future, ranging from autonomous vehicles to smart cities, and so on. Thus, ensuring the security of such wireless communications will become increasingly important and challenging due to the increasingly complex environment and requirements.

In this paper, we have proposed an efficient and secure two-party distributed signing protocol for the identity-based signature scheme in the IEEE P1363 standard, which is designed to generate a valid signature without the need to recover the private key. Both the security analysis and the performance evaluation of our proposed protocol have demonstrated its potential to be used for the distributed signature generation in the wireless environment.

An exemplary block diagram of a computing device 1200, in which entities and processes involved in the embodiments described herein may be implemented, is shown in FIG. 12. Computing device 1200 may typically be implemented using one or more programmed general-purpose computer systems, such as embedded processors, systems on a chip, personal computers, workstations, server systems, and minicomputers or mainframe computers, or in distributed, networked computing environments. Computing device 1200 may include one or more processors (CPUs) 1202A-1202N, input/output circuitry 1204, network adapter 1206, and memory 1208. CPUs 1202A-1202N execute program instructions in order to carry out the functions of the present communications systems and methods. Typically, CPUs 1202A-1202N are one or more microprocessors, such as an INTEL CORE® processor.

FIG. 12 illustrates an embodiment in which computing device 1200 is implemented as a single multi-processor computer system, in which multiple processors 1202A-1202N share system resources, such as memory 1208, input/output circuitry 1204, and network adapter 1206. However, the present communications systems and methods also include embodiments in which computing device 1200 is implemented as a plurality of networked computer systems, which may be single-processor computer systems, multi-processor computer systems, or a mix thereof.

Input/output circuitry 1204 provides the capability to input data to, or output data from, computing device 1200. For example, input/output circuitry may include input devices, such as keyboards, mice, touchpads, trackballs, scanners, analog to digital converters, etc., output devices, such as video adapters, monitors, printers, etc., and input/output devices, such as, modems, etc. Network adapter 1206 interfaces device 1200 with a network 1210. Network 1210 may be any public or proprietary LAN or WAN, including, but not limited to the Internet.

Memory 1208 stores program instructions that are executed by, and data that are used and processed by, CPU 1202 to perform the functions of computing device 1200. Memory 1208 may include, for example, electronic memory devices, such as random-access memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), electrically erasable programmable read-only memory (EEPROM), flash memory, etc., and electro-mechanical memory, such as magnetic disk drives, tape drives, optical disk drives, etc., which may use an integrated drive electronics (IDE) interface, or a variation or enhancement thereof, such as enhanced IDE (EIDE) or ultra-direct memory access (UDMA), or a small computer system interface (SCSI) based interface, or a variation or enhancement thereof, such as fast-SCSI, wide-SCSI, fast and wide-SCSI, etc., or Serial Advanced Technology Attachment (SATA), or a variation or enhancement thereof, or a fiber channel-arbitrated loop (FC-AL) interface.

The contents of memory 1208 may vary depending upon the function that computing device 1200 is programmed to perform. In the example shown in FIG. 12, exemplary memory contents are shown representing routines and data for embodiments of the processes described above. However, one of skill in the art would recognize that these routines, along with the memory contents related to those routines, may not be included on one system or device, but rather distributed among a plurality of systems or devices, based on well-known engineering considerations. The present systems and methods may include any and all such arrangements.

In the example shown in FIG. 12, memory 1208 is shown as including both key generation center routines 1210 and user device routines 1212. However, in many embodiments, only one such set of routines may be present in the device. For example, a key generation center (KGC) may be implemented using one or more server computer systems and may include only key generation center routines 1210, while a user device may be may be implemented using a mobile device, such as a smartphone, and may include only user device routines 1212.

In the example shown in FIG. 12, key generation center routines 1210 may include key generation routines 1214 and signature generation routines 1216, while user device routines 1212 may include key generation routines 1218 and signature generation routines 1220. Key generation routines 1214 may include software routines to perform the KGC portion of Phase 1 of embodiments of processes, as described above. Signature generation routines 1216 may include software routines to perform the KGC portion of Phase 2 of embodiments of processes, as described above. Key generation routines 1218 may include software routines to perform the user device portion of Phase 1 of embodiments of processes, as described above. Signature generation routines 1220 may include software routines to perform the user device portion of Phase 2 of embodiments of processes, as described above. Operating system 1222 may provide overall system functionalities.

As shown in FIG. 12, the present communications systems and methods may include implementation on a system or systems that provide multi-processor, multi-tasking, multi-process, and/or multi-thread computing, as well as implementation on systems that provide only single processor, single thread computing. Multi-processor computing involves performing computing using more than one processor. Multi-tasking computing involves performing computing using more than one operating system task. A task is an operating system concept that refers to the combination of a program being executed and bookkeeping information used by the operating system. Whenever a program is executed, the operating system creates a new task for it. The task is like an envelope for the program in that it identifies the program with a task number and attaches other bookkeeping information to it.

Many operating systems, including Linux, UNIX®, OS/2®, and Windows®, are capable of running many tasks at the same time and are called multitasking operating systems. Multi-tasking is the ability of an operating system to execute more than one executable at the same time. Each executable is running in its own address space, meaning that the executables have no way to share any of their memory. Thus, it is impossible for any program to damage the execution of any of the other programs running on the system. However, the programs have no way to exchange any information except through the operating system (or by reading files stored on the file system).

Multi-process computing is similar to multi-tasking computing, as the terms task and process are often used interchangeably, although some operating systems make a distinction between the two. The present invention may be a system, a method, and/or a computer program product at any possible technical detail level of integration. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention. The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device.

The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing.

A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (for example, light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire. Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers, and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, configuration data for integrated circuitry, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++, or the like, and procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).

In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.

Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions. These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.

These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks. The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks. The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s).

In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the Figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or that carry out combinations of special purpose hardware and computer instructions. Although specific embodiments of the present invention have been described, it will be understood by those of skill in the art that there are other embodiments that are equivalent to the described embodiments. Accordingly, it is to be understood that the invention is not to be limited by the specific illustrated embodiments, but only by the scope of the appended claims.

From the above description, it can be seen that the present invention provides a system, computer program product, and method for the efficient execution of the described techniques. References in the claims to an element in the singular is not intended to mean “one and only” unless explicitly so stated, but rather “one or more.” All structural and functional equivalents to the elements of the above-described exemplary embodiment that are currently known or later come to be known to those of ordinary skill in the art are intended to be encompassed by the present claims. No claim element herein is to be construed under the provisions of 35 U.S.C. section 112, sixth paragraph, unless the element is expressly recited using the phrase “means for” or “step for.”

While the foregoing written description of the invention enables one of ordinary skill to make and use what is considered presently to be the best mode thereof, those of ordinary skill will understand and appreciate the existence of alternatives, adaptations, variations, combinations, and equivalents of the specific embodiment, method, and examples herein. Those skilled in the art will appreciate that the within disclosures are exemplary only and that various modifications may be made within the scope of the present invention. In addition, while a particular feature of the teachings may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular function. Furthermore, to the extent that the terms “including”, “includes”, “having”, “has”, “with”, or variants thereof are used in either the detailed description and the claims, such terms are intended to be inclusive in a manner similar to the term “comprising.”

Other embodiments of the teachings will be apparent to those skilled in the art from consideration of the specification and practice of the teachings disclosed herein. The invention should therefore not be limited by the described embodiment, method, and examples, but by all embodiments and methods within the scope and spirit of the invention. Accordingly, the present invention is not limited to the specific embodiments as illustrated herein, but is only limited by the following claims.

Claims (10)

What is claimed is:

1. A system for generating a distributed cryptographic key and a cryptographic signature comprising:

an electronic computing device operating as a key generating center;

a first electronic device;

a second electronic device;

the key generating center, the first electronic device, and the second electronic device in communication with each other to generate a distributed cryptographic key by:

creating a first part of a private cryptographic key;

creating a second part of the private cryptographic key;

creating a public cryptographic key;

transmitting the public cryptographic key and the first part of the private cryptographic key to the first electronic device; and

transmitting the public cryptographic key and the second part of the private cryptographic key to the second electronic device;

the first electronic device to provide a cryptographic signature to the second electronic device by

transmitting from the first electronic device to the second electronic device an indicator that a cryptographic signature for a message will be transmitted;

upon receiving the first transmission, the second electronic device computing a first intermediate value and a second intermediate value using a first random number and a second random number and transmitting to the first electronic device the first intermediate value and the second intermediate value;

upon receiving the second transmission, the first electronic device computing a third intermediate value using a third random number, a fourth random number, and the message, and transmitting to the second electronic device the third intermediate value;

upon receiving the third transmission, the second electronic device computing a fourth intermediate value and a fifth intermediate value and transmitting to the first electronic device the fourth intermediate value and the fifth intermediate value;

upon receiving the fourth transmission, the first electronic device computing the cryptographic signature for the message and transmitting the cryptographic signature to the second electronic device; and

upon receiving the cryptographic signature, the second electronic device verifying the cryptographic signature by computing a sixth intermediate value and comparing the sixth intermediate value with the cryptographic signature.

2. The system of claim 1, wherein the distributed cryptographic key

is based upon an identity of the first electronic device.

3. The system of claim 2, wherein generating the distributed cryptographic key comprises using the identity of the first electronic device as an input to a hash function.

4. The system of claim 1, wherein the Paillier method is used to generate the distributed cryptographic key.

5. The system of claim 1, wherein the first electronic device, upon receiving the second transmission, computes the third intermediate value using an output of a hash function wherein the message is an input of the hash function.

6. A method of generating a distributed cryptographic key and a cryptographic signature comprising the steps of:

creating, at an electronic computing device operating as a key generation center, a first part of a private cryptographic key;

creating, at the key generation center, a second part of the private cryptographic key;

creating, at the key generation center, a public cryptographic key;

transmitting the public cryptographic key and the first part of the private cryptographic key from the key generation center to a first electronic device;

transmitting the public cryptographic key and the second part of the private cryptographic key from the key generation center to a second electronic device;

transmitting from the first electronic device to the second electronic device an indicator that a cryptographic signature for a message will be transmitted;

upon receiving the first transmission, the second electronic device computing a first intermediate value and a second intermediate value using a first random number and a second random number and transmitting to the first electronic device the first intermediate value and the second intermediate value;

upon receiving the second transmission, the first electronic device computing a third intermediate value using a third random number, a fourth random number, and the message, and transmitting to the second electronic device the third intermediate value;

upon receiving the third transmission, the second electronic device computing a fourth intermediate value and a fifth intermediate value and transmitting to the first electronic device the fourth intermediate value and the fifth intermediate value;

upon receiving the fourth transmission, the first electronic device computing the cryptographic signature for the message and transmitting the cryptographic signature to the second electronic device;

upon receiving the cryptographic signature, the second electronic device verifying the cryptographic signature by computing a sixth intermediate value and comparing the sixth intermediate value with the cryptographic signature.

7. The method of claim 6, wherein the distributed cryptographic key is based upon an identity of the first electronic device.

8. The method of claim 7, wherein generating the distributed cryptographic key comprises using the identity of the first electronic device as an input to a hash function.

9. The method of claim 6, wherein the Paillier method is used to generate the distributed cryptographic key.

10. The method of claim 6, wherein the first electronic device, upon receiving the second transmission, computes the third intermediate value using an output of a hash function wherein the message is an input of the hash function.

Images